Let’s Encrypt SSL Certificate on GoDaddy Shared cPanel Hosting

These are the steps to create and install a Let’s Encrypt SSL certificate on your GoDaddy shared hosting account. While these steps have been tested on GoDaddy shared cPanel hosting, they should work for any shared hosting company that has cPanel. This doesn’t work with GoDaddy’s classic web hosting because it doesn’t have cPanel.

This is how to get a Let’s Encrypt SSL certificate in manual mode. Manual mode is the way you have to do it with shared hosting (if your shared host is still not providing an easy or automated way to add Let’s Encrypt certificates to your hosting account). Manual mode means that you are creating the certificate on your own local computer, and then uploading the certificate to your hosting account.

These steps show you how to also add the SSL certificate on multiple “Addon Domains.” Let’s Encrypt lets you create a “Multi-domain” certificate, also known as a “UC” or “UCC” certificate. This works on GoDaddy shared cPanel hosting to cover all of your sites and subdomains on that account.

These steps assume that:

Your local computer has a UNIX-like operating system (e.g. Mac, Ubuntu, etc.). If your local computer is Windows, these steps will not work.

You’re working from a command line terminal.

You have SSH access to the hosting account. (You can enable SSH access in your GoDaddy cPanel, under “Security,” click SSH Access.)

Part 1: Get the certbot Client

Install certbot on your local machine:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Part 2: Create the Multi-Domain SSL Certificate

Initiate the SSL certificate creation process:

./certbot-auto certonly --manual

Next, it will ask you to type all of your domains which you want covered by the SSL certificate. Separate domains by a comma. Be sure to include both your www domain and your non-www one. For example, type:

yoursite.com,www.yoursite.com

or, for more domains:

yoursite.com,www.yoursite.com,othersite.com,www.othersite.com

also, add any subdomains:

subdomain.yoursite.com,blog.yoursite.com

You will get this message:

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o:

Answer “Yes” to this message by typing Y and pressing Enter. Leave this terminal window open (we’ll call this Terminal 1).

At this point, open a separate terminal window (we’ll call this Terminal 2).

In Terminal 2, make an SSH connection to your hosting account. In the line below, replace YOUR_USERNAME with your cPanel user name. If you don’t know your cPanel user name, look in your cPanel, under the “Files” section. Click “FTP Accounts.” The “Log In” name is the user name. Also, replace “yoursite.com” with your own site:

ssh YOUR_USERNAME@yoursite.com

For the next several steps, you’re going to be switching between the 2 terminals.

The Following Steps in Part 2 (steps 7 — 12) Will Have To Be Repeated For Each Domain and/or Subdomain.

Back in Terminal 1, you should have a message like this:

-------------------------------------------------------------------------------
Create a file containing just this data:
ELG_aAEG4FS2ZDJpxaCfXLGjQh4E3U0P-IVO_Qok5e0.zlInmCy7UgqfujZl9OUluaOC86_5PUZRhOstad8xd9o
And make it available on your web server at this URL:
http://yoursite.com/.well-known/acme-challenge/ELG_aAEG4FS2ZDJpxaCfXLGjQh4E3U0P-IVO_Qok5e0
-------------------------------------------------------------------------------
Press Enter to Continue

From your own terminal, copy the part of line 8, beginning with .well-known, to the end of that line (it’s line 8 in the sample above–however copy it from your own terminal 1, not from above). DO NOT COPY with CTRL + C inside the terminal. Highlight, then right-click, then select “Copy.” Be careful not to press ENTER at this point.

Back in terminal 2, navigate to the root directory of the site which the first terminal is referencing. Look back at the message in the first terminal, line 8 where it shows the site in reference (this is necessary if you have multiple “addon” domains.)

In Terminal 2, in your site’s root directory, make the required directories, “.well-known” and “acme-challenge” like this:

mkdir -p .well-known/acme-challenge

Still in Terminal 2, create the required file like this. In the terminal, type vi and then paste the line which you copied in step 8. (You should be able to paste with CTRL + Shift + V .) Then press Enter. This will open a new file in your terminal. Go back to Terminal 1, copy the entire line 4. (DO NOT COPY with CTRL + C inside the terminal. Highlight, then right-click, then select “Copy.” Be careful not to press ENTER at this point.) Come back to terminal 2 and paste that data. To save this new file to your server in terminal 2, press the Esc key. Then type, :wq and press Enter.

At this point, if you want to confirm that this step has worked, then open a web browser window. Go to the page on your website that is given by the URL address in terminal 1, line 8.

On that web page, you should see a long line of letters and numbers. This should be exactly the same as what is shown in terminal 1 on line 4.

If this is correct, you can proceed.

Go back to the first terminal. It should still say at the bottom, “Press Enter to Continue.” Now you can press Enter.

It will walk you through repeating these steps (7 — 12) for each domain and subdomain that you listed for the certificate.
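
The challenge-file steps above can also be done without vi and without copy/paste into an editor. The following is an added example, not part of the original tutorial; the function names `place_challenge` and `check_challenge` are assumptions. Run it in Terminal 2 with the site's root directory and the data line that certbot printed in Terminal 1.

```shell
#!/bin/sh
# place_challenge DOCROOT KEY_AUTH
# KEY_AUTH is the "file containing just this data" line printed by certbot:
#   <token>.<account key thumbprint>
# The URL certbot asks for ends in .well-known/acme-challenge/<token>,
# so the file name is everything before the first dot.
place_challenge() {
    docroot=$1
    key_auth=$2

    token=${key_auth%%.*}
    # Tokens are base64url text; reject anything else so a bad paste
    # can never turn into a path such as "../".
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "unexpected token: $token" >&2; return 1 ;;
    esac
    [ "$token" != "$key_auth" ] || { echo "no '.' in data line" >&2; return 1; }
    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 1; }

    dir=$docroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    # printf '%s' writes exactly the data, with no stray characters.
    printf '%s' "$key_auth" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# check_challenge URL KEY_AUTH
# Fetches the URL shown in Terminal 1 and compares it with the data line
# (needs curl and network access). Succeeds only on an exact match.
check_challenge() {
    [ "$(curl -fsS "$1")" = "$2" ]
}
```

Only press Enter in Terminal 1 once `check_challenge` succeeds for the domain certbot is currently asking about.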

After repeating the above steps for all of your domains, you should finally get a message like this:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/yoursite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/yoursite.com/privkey.pem
Your cert will expire on 2018-**-**. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Copy the 2 file paths since you will need them below. In this example, the 2 file paths are:

/etc/letsencrypt/live/yoursite.com/fullchain.pem

and

/etc/letsencrypt/live/yoursite.com/privkey.pem

You can now remove the .well-known directory that was created on each site. To do this, go back to Terminal 2, and enter this in the root folder for each site:

Back in your Terminal 1, open the fullchain.pem file. You should have noted the path to this file in Step 14 above. Open the file in your local editor, like this (replace “gedit” with your text editor, if needed):

gedit /etc/letsencrypt/live/yoursite.com/fullchain.pem

Copy the top half of the file (only the first certificate). Copy from the first “-----BEGIN CERTIFICATE-----” to the end of the first certificate, “-----END CERTIFICATE-----”.

Once you’ve copied it, close the file.

Take what you copied and paste it under “Upload a New Certificate”, where it says, “Paste the certificate into the following text box:”

Type a description and click “Save Certificate.”

Click “Go Back,” and then click “Return to SSL Manager” at the very bottom of page.

Under “Install and Manage SSL for your site (HTTPS),” click “Manage SSL sites.”

Under “Install an SSL Website,” select your first domain. Click “Autofill by Domain” and the certificate should populate in the first box. (All 3 boxes may be automatically populated.)

If the “Private Key (KEY)” field is not filled in: go back to your terminal, open the file privkey.pem (replace “gedit” with your editor, as needed, and also edit the path to the file to match what you copied in Step 14 above):

gedit /etc/letsencrypt/live/yoursite.com/privkey.pem

Copy ALL of it, then close the file.

Back in your hosting account, paste it into the Private Key (KEY) text box.

If the “Certificate Authority Bundle” is not filled in: go back to your terminal, open the fullchain.pem file again to copy the BOTTOM half:

gedit /etc/letsencrypt/live/yoursite.com/fullchain.pem

So, copy from the SECOND “-----BEGIN CERTIFICATE-----” to the end of the file: “-----END CERTIFICATE-----”.

After you copy it, close the file.

Paste it into the Certificate Authority Bundle: (CABUNDLE) text box.

Click “Install Certificate.”

If it’s successful, you should get a response message like this:

SSL Host Successfully Installed
You have successfully configured SSL.
The SSL website is now active and accessible via HTTPS on this domain:
yoursite.com
…

Click “OK” to close the success message.

If you created this certificate for more than one domain, then under “Install an SSL Website”, select your next domain that the certificate is for. However, if this certificate is only for one domain, then skip down to step 19.

Click “Autofill by Domain.” All three boxes should automatically populate.

If the “Certificate Authority Bundle” is not filled in: go back to your terminal and copy the SECOND part of fullchain.pem, just like you did above (in step 11), and paste it into the Certificate Authority Bundle: (CABUNDLE) text box.

Click “Install Certificate.” You should get a success message.

Click “OK” to close the success message. Repeat these last few steps (steps 14 — 18) for any other domains that you added to the certificate.

After a few minutes, you can confirm that the certificate is working by using this SSL Checker.
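
Instead of copying the top and bottom halves of fullchain.pem by hand, the file can be split on its PEM markers. This is an added example, not part of the original tutorial; the function name `split_fullchain` and the output file names `leaf.pem` and `cabundle.pem` are assumptions.

```shell
#!/bin/sh
# split_fullchain FULLCHAIN OUTDIR
# Writes OUTDIR/leaf.pem     (first certificate: the cPanel certificate box)
#    and OUTDIR/cabundle.pem (remaining certificates: the CABUNDLE box).
# Prints the number of certificates found.
# Usage (path from the tutorial, output directory is an example):
#   split_fullchain /etc/letsencrypt/live/yoursite.com/fullchain.pem ~/le-upload
split_fullchain() {
    fullchain=$1
    outdir=$2
    [ -r "$fullchain" ] || { echo "cannot read $fullchain" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    # Start from empty files so output from an earlier run is never reused.
    : > "$outdir/leaf.pem"
    : > "$outdir/cabundle.pem"

    n=$(awk -v leaf="$outdir/leaf.pem" -v chain="$outdir/cabundle.pem" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (n == 1 ? leaf : chain) }
        /^-----END CERTIFICATE-----/   { inside = 0 }
        END { print n + 0 }
    ' "$fullchain") || return 1

    # With fewer than two certificates there is no "bottom half" to paste.
    [ "$n" -ge 2 ] || { echo "expected >= 2 certificates, found $n" >&2; return 1; }
    printf '%s\n' "$n"
}
```

privkey.pem is not touched by this function; paste it into cPanel directly from /etc/letsencrypt/live/ and never copy it into a site's root directory.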

We've 51 Responses

This is really great, except that you need to repeat the process every 90 days manually.

I was able to script the entire certificate generation part, but haven’t been able to figure out how to replace the certificates on the server via ssh. Do you have any insight on how that part works?

I tried creating the initial certificates using the web interface, and then subsequently replacing the cert files with new ones, but the site still uses the original certs uploaded from the web interface.

Just for follow up, I spoke with GoDaddy and they said that I have to generate the CSR from within cpanel in order to get this to work. I’m not quite sure on the steps needed to do that with Lets Encrypt.

Hi. This step (./certbot-auto certonly --manual) is done on your local machine, not while connected to your GoDaddy hosting account. You should be able to do this right after Part 1. GoDaddy has nothing to do with this step. You don’t connect to GoDaddy until Part 2, Step 7. Hope that helps.

Hi, great tutorial. I’m at Part 2 #13, where I have to verify that files exist on my local machine in /etc/letsencrypt/live. I’m getting a Permission denied error when I try to navigate to that location using console. So, I used finder to navigate to the folder. The “live” folder has a red minus icon and again I get a message saying I don’t have permissions to open it. Additionally, it has no sub folders and the size of the folder reads “Zero bytes”, as do all of the other sub folders in the “letsencrypt” folder that contain a red minus icon. There are however, a couple of .conf files in the “renewal” folder relating to my domain names. Not sure what the problem is. Any help would be great, thank you.

Update: I got it working with a modified version of [LEScript](https://github.com/analogic/lescript). I had to make a few small changes to get OpenSSL working correctly on GoDaddy’s Windows hosting. Changes included adding “openssl.cnf”. The script generates some PEM files. To install them, you simply go into Plesk, select “Secure Your Sites”, then click “Add SSL Certificate”. The files it wants are “private.pem”, “cert.pem”, and “lets-encrypt-x3-cross-signed.pem”. You then go into “Hosting Settings” and select the certificate.

./certbot-auto certonly --manual
"sudo" is not available, will use "su" for installation steps...
Sorry, I don’t know how to bootstrap Certbot on your operating system!
You will need to bootstrap, configure virtualenv, and run pip install manually.
Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites
for more info.

Okay, yes, but I’m referring to your local computer. Is it Windows? Part 1, and the first few steps of Part 2 are done on your local computer. The Let’s Encrypt ssl certificates will be created on your local computer, and then we upload them to the GoDaddy hosting. (I tested with your same exact hosting plan, and it works well.) But, the first steps with Certbot don’t work on a local Windows computer. I’ve updated the intro above to specify that. Sorry.

Thank you for a very clear guide. However, I would like to suggest some amendments for Mac users.

First, you start by assuming that the OS can use wget. This is not installed by default on Mac OS. To install it is a bit complex but I managed it only to get a message saying it had been deprecated! It referred me to the certbot site which explained that it now needs to be installed with Homebrew using the command “brew install certbot”.

When it was installed, I could only open some of the folders as they were protected so had to use info and unlock the data to add myself as a read only user and replicate it throughout the directory tree (I could have done this through the terminal but chose not to at the time).

The next problem is that gedit also doesn’t exist on the Mac! I tried vi but it would not let me copy and paste correctly. So I used the installed text editor but of course it cannot navigate to /etc/.

So I had to copy the entire folder to a readable area (I chose my downloads file) and then, at last, I could open the certificates.

All is now installed and working, thanks.

You might want to update the tutorial (as I am sure it will become increasingly popular) to reflect these Mac anomalies.

I will run through your renewal tutorial in 89 days (well, 74 probably) and see if it also needs any Mac based changes.

Finally, have you done a tutorial for adding domains to the existing certificate for idiots like me that forgot to add the www. alternatives when initially generating the certificate?

WARNING: certbot-auto support for this macOS is DEPRECATED!
Please visit certbot.eff.org to learn how to download a version of
Certbot that is packaged for your system. While an existing version
of certbot-auto may work currently, we have stopped supporting updating
system packages for your system. Please switch to a packaged version
as soon as possible.